Protect your images with .htaccess
.htaccess files are lovely, lovely things. They do exactly what the name implies: control access to your files. About six months ago, I had problems with a bunch of l33t brats ‘borrowing’ my bandwidth and using a few of my photos on message boards.
So I decided to take their toy away.
A lovely thing about .htaccess files: if you place them in a directory, the conditions and permissions you set up affect all subfolders of that folder. So, if you want to protect all your images, just drop a single .htaccess file in your main images directory, and all subfolders are taken care of.
Here’s the code that I’m using for my .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://YOURSITE.COM/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://WWW.YOURSITE.COM/.*$ [NC]
ReWriteRule .*\.(gif|jpg)$ - [N,F,L]
It’s a good idea to do both yoursite.com and www.yoursite.com. Also, if you know of any other sites that you want to allow to use your images, be sure to add in a line for them in this file.
If the referer (HTTP_REFERER) is non-empty and doesn’t match one of the strings you’ve provided in those lines, the image request will result in a 403 error. The first condition lets requests that carry no referer at all through.
To use this code on your site…
Make sure you can see hidden files (files beginning with a .) with your FTP client. (It’s really hard to edit or delete files you can’t see.) Paste these lines into a blank text document, save it as .htaccess, and upload it to your images directory.
That should be all!
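An added example, not part of the original post: a small Python model of how the rules above decide each request, run over constructed sample requests. It goes a little beyond the post by including an https:// referer and file extensions the rule does not list; yoursite.com is the post's placeholder, and the sample paths and forum.example are made up.

```python
import re

# Referer patterns from the post's RewriteCond lines; [NC] = ignore case.
ALLOWED_REFERERS = [
    r"^http://YOURSITE.COM/.*$",
    r"^http://WWW.YOURSITE.COM/.*$",
]
# Pattern from the RewriteRule line. It carries no [NC], so it is case-sensitive.
PROTECTED = re.compile(r".*\.(gif|jpg)$")


def status(path, referer=""):
    """HTTP status the post's .htaccess rules give one request (model only)."""
    if not PROTECTED.search(path):
        return 200  # rule pattern does not match, request is left alone
    if referer == "":
        return 200  # first condition (!^$) fails: empty Referer passes
    for pattern in ALLOWED_REFERERS:
        if re.search(pattern, referer, re.IGNORECASE):
            return 200  # a negated condition fails: referer is allowed
    return 403  # all conditions hold, so the [F] flag answers Forbidden


# Constructed sample requests: (path inside the images directory, Referer).
SAMPLES = [
    ("trip/cat.jpg", "http://www.yoursite.com/gallery.html"),   # own page
    ("trip/cat.jpg", "http://YourSite.com/"),                   # case differs
    ("trip/cat.jpg", "http://forum.example/thread/12"),         # hotlink
    ("trip/cat.jpg", ""),                                       # no Referer sent
    ("trip/cat.jpg", "https://www.yoursite.com/gallery.html"),  # own page, https
    ("trip/cat.JPG", "http://forum.example/thread/12"),         # upper-case ext
    ("trip/cat.png", "http://forum.example/thread/12"),         # type not listed
]


def report(samples=SAMPLES):
    """Return (path, referer, status) for every sample request."""
    return [(p, r, status(p, r)) for p, r in samples]


if __name__ == "__main__":
    for path, referer, code in report():
        print(f"{code}  {path:<14} referer={referer or '(none)'}")
```

The two results worth checking against your own site are the 403 for your own pages when they are served over https and the 200 for .JPG and .png files. If either applies, widen the referer patterns to https?:// and add [NC] and the extra extensions to the RewriteRule.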
May 7th, 2002 at 2:02 pm
Don’t forget to put in the IP address as well. Sometimes search engines cache the IP and you can lose people that way. Also you can do it directly in the apache config. It’s easy if you’re using virt hosts. I can dig that up if you want to see it. Also in the same .htaccess you can config an error doc for 403 so they don’t get the standard error but a reason why they’re getting the error which is usually a good practice to follow.
May 7th, 2002 at 2:10 pm
Oh yeah, this stuff only works on Apache when the mod_rewrite module is installed. Not all ISPs install mod_rewrite by default. If you do a phpinfo() you can see if it’s installed under the Loaded Modules in the Apache section.
May 7th, 2002 at 2:16 pm
Really? That’s pretty interesting — maybe I’ve just had the good fortune of dealing with good, geeky ISPs. I’ve come to take it for granted that I’d have access to the goodies of mod_rewrite…
May 7th, 2002 at 6:15 pm
Thank you so much Amy, I can definitely use this. I also thought I would mention another line that can be placed in the .htaccess file that will not allow any of the images to be listed (or anything in a specific directory for that matter) in which you do not have an index file.
IndexIgnore *
This way if someone was to snoop in my image file they would see this rather than a complete listing of all the images I may have listed in that file. Make sense?
May 7th, 2002 at 9:14 pm
.htaccess is a marvellous thing, indeed.
I am looking forward to a forum of sorts. Often I’m too shy to request things!
And I was wondering, have you thought of inviting Jade to be a goddess? She’s one of my personal favourite php queens, and I’m sure she’d love to be asked.
May 7th, 2002 at 11:21 pm
Question.. say I have a subfolder named pictures, do I put the .htaccess with the code above in that folder? I already have a .htaccess in use and put this code in above, saved and came up with an Internal Error. I fixed it by taking the code back out. So it was no biggie, but wanted to ask and make sure I’m reading this post correctly. Thank you
May 7th, 2002 at 11:28 pm
Can you include multiple lines in one file? For example, I have two sites - http://www.BlahBlahBlog.com and http://www.pixelwannabe.com/pixelog/ - and I pull images from the Pixelog site in to display on BlahBlahBlog (with a PHP include, thanks to you teaching me how to do them last fall!) I want to make sure that *I* can still pull those pictures across, but no one else can.
May 8th, 2002 at 12:22 am
Gina:
All I know to tell you is to watch your cut-and-paste very carefully. The code I pasted in is a direct copy from my current .htaccess file, with ‘domesticat.net’ changed to ‘yoursite.com’.
Christine:
Copy the third line of the code listed above. Just duplicate that line, and edit it so that each site you want to *allow* is listed. (Don’t forget both with and without the ‘www.’) That should do it for you - try it out.
Everyone:
I’m going on vacation as of tomorrow morning, and will be afk for a few days. I probably won’t be able to check back in again before Sunday.
May 8th, 2002 at 2:05 pm
Oh what a cool tweak! Thanks!
May 10th, 2002 at 11:11 pm
Thank you for calling attention to a very powerful, but little known feature in Apache. I use .htaccess for all kinds of wackiness, especially in conjunction with mod_rewrite.
May 14th, 2002 at 8:02 pm
Amy,
I tried this again, and it worked like a charm. When I copy/pasted the code into my .htaccess, it placed it wrong on the page. So I corrected that and it’s all set.
This is a great thing! Thank you
May 17th, 2002 at 9:41 am
I’m coming back to this post because I’ve got a couple direct linkers and want to implement it this afternoon.
My question is - I also have a couple of images that I really do want to show up on different domains. For example, when I post on the pixelitas boards, I have several of my linkback graphics showing up under my signature… and I put up an image here on the css skin for linkback that’s hosted on my site. And I’m sharing 4 domains between my site, so I’d want to let them all use my images. And some stuff like that…..
So I just list all of my domains that I allow to view my images in that script, right? They don’t have to be on my IP address for this to work? I’m pretty sure that’s what the tutorial means it can do…
I’m gonna try this out, and I’ll post back and let ya know how it went 
cooooool!
May 17th, 2002 at 10:05 am
Ok. First up, I’d set up a two-line ‘allow’ for each of your domains:
RewriteCond %{HTTP_REFERER} !^http://site1.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.site1.com/.*$ [NC]
There are two ways to handle the linkback graphics. First, you could ‘allow’ from your sites and pixelitas — that’s the easiest way for the time being.
There’s another solution you might want to consider, though. I actually ran into this sort of problem with ezboards. I had a couple of images I wanted to make available on ezboards, but they were also one of my worst sources of direct linkers. I couldn’t just let them have access to all my stuff, because it was killing my bandwidth. What I ended up doing was putting a .htaccess file in my main images directory, and creating a separate public_images directory with no .htaccess file.
/public_images/ on cat.net is the place where I drop files that I don’t mind other people linking to, such as linkback images and personal icons for web boards and the like.
The linkback images you’ve got…chances are, if you want to protect most of your images and not those, you’ll have to do a bit of shifting around. If there’s a way to selectively UNprotect files with .htaccess, it’s news to me…
May 26th, 2002 at 11:14 am
Thank you so much for this!
July 8th, 2002 at 9:31 am
Ello, I came across this place while desperately looking for an answer to an .htaccess question.
I have a hta file in my images folder, as above, to protect my images, and it’s bliss.
However, I have a java applet for my image gallery to show my images and the applet doesn’t seem to like it. Any ideas? I really don’t want to un-hta the images folder, I’d be back to square one.
July 16th, 2002 at 8:50 am
ok - i’m having some trouble with this. when i drop this code into a .htaccess file and put it into my pictures directory, some pictures no longer show up on my weblog. i don’t understand why since my pictures directory and my weblog are both running on the same domain. any tips?
July 19th, 2002 at 2:52 pm
Kristen, you might be having a similar problem to me. I have a cgi script that runs my image galleries and it doesn’t like htaccess at all. If I come up with an answer I’ll make sure I’ll post it here
illona
x
July 19th, 2002 at 2:56 pm
ooh ooh, I forgot to add, if you have hta’s in any directories ‘above’ - it will process those first. i.e. it’ll move down through file tree and process each one it comes across. I’m just deleting my hta’s above my image folder now to see whether that has a difference.
If you’re on a shared server, make sure you add:
RewriteRule /* http://www.yoursite.com [L,R]
- so that the server knows who ‘you are’ before it commences processing.
~disappears in a mist of hta~
ills
xxx
July 25th, 2002 at 1:59 am
I would like to know how to limit access to a certain page of mine to only those people coming from a specific page from another website. I believe that I can do this with .htaccess but need to know how. I’m not looking to Password protect my page, just limit its access to a specific referring URL. Can anyone help? Thanks.
July 25th, 2002 at 8:06 am
I’m still very much a newbie when it comes to htaccess, but I can think of a quick and dirty way with php to do it. On the link from the other page have it pass a variable into the url… for example: http://www.theotherpage.com/page.php?caniseeit=yes
then on your page you check to see if the caniseeit variable is set (and is set correctly) then display the page, otherwise don’t.
If you want more specifics (ie. the specific code that goes on your page), let me know
August 1st, 2002 at 1:47 pm
I would prefer to have a rule which permits to authorize all, except the ones I have blacklisted.
There are some domains who are using forum and put images in it, etc. but I don’t mind if Google indexes my images or if someone is asking me the permission to use one of my images.
August 1st, 2002 at 2:13 pm
For Jennifer, on July 25th you responded to my post of the same day. I still am unable to do what I was trying to do as stated in my post and really need some help. Will you write me directly please and I’ll give you all the info on what I am trying to do. If another coder here on the board wants to help as well, please write. Thank you to all.
September 19th, 2002 at 4:53 pm
Karl, to maintain a blacklist you could do this:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} ^http://siteidontlike.com/.*$
ReWriteRule .*\.(gif|jpg)$ - [N,F,L]
Note the lack of the ! in the referer you don’t like.
Good luck,
Phillip
January 21st, 2003 at 11:51 am
Does someone know how to serve up a different image saying “visit my site at http://www.blah.com” instead of serving up nothing?
Or is someone able to give me a hint?
February 19th, 2003 at 9:13 am
If you don’t have mod_rewrite, you can do this instead:
SetEnvIfNoCase Referer "^http://www.yourdomain.com/" allowed=1
SetEnvIfNoCase Referer "^http://yourdomain.com/" allowed=1
SetEnvIfNoCase Referer "^$" allowed=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=allowed
</FilesMatch>
March 11th, 2003 at 12:33 am
i’ve been having troubles with direct linkers for a while now - mainly with sprites i have adopted being used as images on forums and stuff. i had heard you can block sites with .htaccess but i wanted to know exactly how - this is really great - thanks. i am gonna add it to my site when i update next. i also plan to browse this site some more to see what other cool stuff you have.
May 19th, 2003 at 4:13 am
a beginners article on bandwidth theft, aka hotlinking
October 17th, 2003 at 9:33 pm
I used this .htaccess to allow links to certain filetypes, so it’s possible for external docs to link to my php files in the same directory as the images, but not to the images.
SetEnvIfNoCase Referer "^http://www.yourdomain.net/" allowed=1
SetEnvIfNoCase Referer "^http://yourdomain.net/" allowed=1
SetEnvIfNoCase Referer "^$" allowed=1
Order Allow,Deny
Allow from env=allowed
<Files "*.php">
Order Allow,Deny
Allow from all
</Files>
February 5th, 2004 at 4:59 am
If you can’t see .htaccess files, you can upload and overwrite by uploading blank .htaccess files to remove any authentication scripting you may have set up.
February 19th, 2004 at 5:31 am
OK.. I’ve almost gotten it to block direct linking on every site except the ones I want it to. However, on my LiveJournal userinfo page, it doesn’t seem to want to work. When I add the URL (http://www.livejournal.com/userinfo.bml?user=starsprinkles) to the .htaccess, it still doesn’t allow direct linking — but it does in the journal itself so it’s not LJ as a whole. I was thinking maybe since the userinfo is a .bml that has something to do with it? I’m not at all familiar with .bml so I have no clue, that was just the only thing I could think of.
Anyway, I was thinking for a solution I would just do the public images folder thing. However, I’m unsure as to how to do that if the .htaccess works from the top down. Will I have to put a separate .htaccess in every folder for this to work, or can I have the main .htaccess block direct linking but have a folder that allows it?
February 21st, 2004 at 4:32 pm
Hi,
perhaps I’m thick or summat but I have the module installed and I have put in the .htaccess file as described but none of my images are displayed.
Anybody got an idea what I’m doing wrong?
February 22nd, 2004 at 12:21 pm
Hi, I fixed that problem but I have found that if you refresh the page the images do not appear. any clues?
May 1st, 2004 at 12:41 pm
Just to let you know and be aware, anyone can easily get around this by using PHP, or something else to modify the HTTP request to set the ‘Referer’ header line to whatever they want. For example, if someone created an HTTP request to your website that had this in the header area:
Referer: http://YOURSITE.COM/
HTTP_REFERER would be set to that, even if it did not come from you.
May 7th, 2004 at 8:45 pm
hi
i created a site with basic html and java knowledge. i use earthlink hosting and i want to know how or where can i learn about .htaccess files
June 28th, 2004 at 4:36 pm
I’ve seen .htaccess codes where you can replace the image they are trying to direct link with another image. How can this be done?
June 29th, 2004 at 3:23 pm
RewriteRule .*\.(gif|jpg|jpeg|bmp)$ http://www.YOURSITE.COM/PATHTO/ALTERNATEIMAGE.jpg [R,NC]
July 3rd, 2004 at 2:47 pm
Thanks so much! I’ve tested it out, and for some reason the alternative image isn’t showing up, however it does stop the images from being hot linked. I’m not sure if it has anything to do with it, but instead of placing the .htaccess file in the root directory, I placed it in a certain folder/directory in which I had the most trouble with ppl direct linking images from. It does fix the main problem and I’m happy about that. I just wish the alternative image would show up because it would be too funny! *giggle*
July 3rd, 2004 at 2:50 pm
whoops I have another problem now. Now the images aren’t showing up on my own site. :-S
July 4th, 2004 at 8:13 am
I see images. Are you still having a problem?
August 3rd, 2004 at 8:09 pm
could this .htaccess protect zip file too? or image only?
how should i write .htaccess to protect from hotlinking to zip file?
thanks a lot
August 4th, 2004 at 4:26 pm
I put the .htaccess file in a certain directory where I had the most trouble with ppl direct linking like my smilies and pixel adoptions. So, only where those images were the ones that weren’t showing up. But I finally realised that for some reason, when I had my internet security enabled is when they wouldn’t show up. Yet, when I would disable it they would show up. I really don’t know why.. maybe something to do with cookies because it happens quite often with other sites images as well. But thank you for trying to help!
August 4th, 2004 at 4:29 pm
cart, I’m not exactly sure but maybe you can try this:
ReWriteRule .*\.(gif|jpg|zip)$ - [N,F,L]
August 12th, 2004 at 12:13 pm
thank a lot tray

i’ll put the code.
now, how i know they can’t hotlink to the file?
can i test with put the url on the address like: http://www.site.com/file.zip ?
or… ?
can tell me how i can test it?
thanks
August 24th, 2004 at 5:09 am
Thank you very much for this piece of code!
September 10th, 2004 at 12:40 am
cart, you’re welcome! I’m not so sure how you can test it out. I had actually wondered the same thing and the only way my pea brain could think of was to test it out by direct linking to one of my protected images from a forum that I had joined (like sometimes you can direct link your own images, avatars, buttons). But maybe there is a simpler way of testing it. You could possibly be able to create your own html file linking to the file, save it to your desktop and opening it. Make sure you’re connected to the internet of course. Sorry if I wasn’t much help.
October 28th, 2004 at 5:00 pm
this thread may be over two years old but it’s been a lifesaver to me! lately, a third of my bandwidth has been leeched by LiveJournal twirps who have been direct linking to some of my pictures for their LJ background images. i created and uploaded this .htaccess file in five minutes and the problem was solved. thank you so much!!!
December 29th, 2004 at 2:46 am
every time i do this it will not even allow my site to get the links and if i put it in the main directory it won’t even allow me to load my site.. any suggestions?